The Cantonal Council of the Canton of Zurich passed the total revision of the IDG (the law on information and data protection) on March 23, 2026 by 153 votes to 24:
- Business of the Cantonal Council No. 5923
- Preliminary draft of the Directorate of Justice and Home Affairs
- Synoptic presentation of the preliminary draft with explanations from the Directorate of Justice and Home Affairs
- Proposal of the Government Council
- Final version (motion adopted by the editorial committee)
- Minutes from the consultation on 24.11.2025
We have the current version in each case with the excerpts from the Government Council’s proposal compiled.
The fully revised law is not yet in force and the date of entry into force has not yet been set; the implementing ordinance (IDV) must first be drawn up. A date in mid-2027 is likely, until then the following will apply today’s IDG and the IDV.
Background
The Canton of Zurich’s IDG dates back to 2007 and regulates both data protection and the principle of public access. In 2020, the cantonal government initiated a complete revision based on an evaluation (2013−2017), parliamentary initiatives, European legal requirements (Council of Europe Convention 108+, Schengen) and the complete revision of the federal FADP. A partial revision had already implemented the minimum requirements under European law in 2019.
The consultation process began on June 28, 2022, and on July 5, 2023, the Government Council adopted bill 5923. The biggest point of contention was a passage proposed by the Government Council, according to which minutes of non-public meetings, including motions, co-reports and statements by the executive, should generally remain under lock and key. The subsequent debate amended this point at the request of the Committee for State and Municipal Affairs (STGK).
The Cantonal Council discussed the bill in several meetings (September 15 and November 24, 2025).
Significant innovations
- Representative for the principle of publicity and data protection: The existing DPO will have a dual function: it will now also advise authorities and municipalities on the principle of public access and can conduct arbitration proceedings in the event of disputes regarding access to information. The public body is obliged to participate.
- Exceptions to access to informationAccess to information: In the case of government council and municipal council business, applications, co-reports, statements and minutes are excluded from access to information. Municipalities may restrict these exceptions or declare them inapplicable.
- Open Government Data: Open government data is information that a public body makes freely accessible in machine-readable form and that can be used without restriction. Public bodies may publish such data; the central administration must, provided that there is no law or overriding public or private interests to the contrary.
- AI registerEvery public body must keep a publicly accessible list of the algorithmic decision-making systems it uses, insofar as these can have an impact on fundamental rights – the threshold is deliberately set low, the possibility of a violation of fundamental rights is sufficient. The term „algorithmic decision-making systems“ deliberately covers both rule-based and machine learning systems. The minimum specifications are to be regulated by the Government Council in the ordinance.
- Notification obligation for AI-supported processing: When obtaining personal data, the public body must actively inform about the possible use of algorithmic decision-making systems, and when requesting information, the data subjects must be informed if their data has been processed using AI.
- Assessment of the consequences of fundamental rights: Every time algorithmic systems are used, a fundamental rights impact assessment (GRFA) must be carried out to identify and reduce fundamental rights risks. The RIA may be added to the DPIA (but can also be taken together).
- Pilot testsPublic bodies may process special personal data as part of pilot tests without a formal legal basis, with the approval of the cantonal government (in the case of municipalities, the municipal council) and for a maximum of five years.
- Consent: Public bodies may process data if the data subject consents, analogous to Art. 34 FADP. Explicit consent is required for special personal data.
- Profiling: Profiling (defined as the automated evaluation of information to analyze key personal characteristics or predict personal developments) now requires a basis in a formal law.
- Proportionality: This principle is now regulated in a separate paragraph.
- Information processing by third partiesOrder processing is being tightened up somewhat due to increasing outsourcing to the cloud.